The Minister of the Malaysian Communications and Multimedia Commission (the Minister) has announced by Gazette that Malaysia’s Personal Data Protection Act 2010 (the PDPA) will finally take effect as of 15 November 2013, introducing a privacy regime in Malaysia for the first time. To accompany this announcement, a series of regulations have been issued to implement the provisions of the PDPA. Data controllers will have three months from the date of enactment to comply with the PDPA to avoid enforcement.

The Regulations on Classification of Data Users highlight that the PDPA requires certain organisations to register as data users with Malaysia’s new Personal Data Protection Commissioner. These include:

  • Banking and financial institutions
  • Communications service providers
  • Tourism and hospitality providers
  • Insurers
  • Real estate firms
  • Education bodies
  • Direct marketing organisations
  • Transportation firms
  • Utility providers

TheRegulations on Registration of Data Users sets out the costs of registration, which are valid for a period of 24 months prior to renewal. Failure to register as a data user could result in a fine of up to 500,000 Ringgit and imprisonment of up to three years.